# Authenticate requests to Cube with Auth0

## Introduction

In this guide, you'll learn how to integrate Auth0 authentication with a Cube
deployment. If you already have a pre-existing application on Auth0 that you'd
like to re-use, please skip ahead to [Configure Cube][ref-config-auth0].

We'll be creating an Auth0 [application][link-auth0-docs-app] and
[API][link-auth0-docs-api], configuring a [rule on Auth0][link-auth0-docs-rules]
to add custom claims to vended JWTs, and finally configuring Cube to use Auth0.

## Create an application

First, go to the [Auth0 dashboard][link-auth0-app], and click on the
Applications menu option on the left and then click the Create Application
button.

<div style={{ textAlign: "center" }}>
  <img
    src="https://ucarecdn.com/628fe537-c596-4596-a0d8-d2b5cddd8315/"
    style={{ border: "none" }}
    width="80%"
  />
</div>

In the popup, set the name of your application and select Single Page Web
Applications.

<div style={{ textAlign: "center" }}>
  <img
    src="https://ucarecdn.com/699e7614-238e-41c8-b267-c07db21d964c/"
    style={{ border: "none" }}
    width="80%"
  />
</div>

Next, go to the application's settings and add the appropriate callback URLs for
your application (`http://localhost:4000` for the Developer Playground).

### Custom claims

You can also configure custom claims for your JWT token. Auth0 has two SDKs
available; [Auth0.js][link-auth0-js] and the [Auth0 SPA
SDK][link-auth0-spa-sdk]. We recommend using the SPA SDK wherever possible, [as
per Auth0's own developer advice][gh-auth0-spa-sdk-issue34]. If you're using
`@auth0/auth0-angular` or `@auth0/auth0-react`, then the SPA SDK is
automatically included.

Open the Auth0 dashboard, click on 'Rules' and add a rule to add any custom
claims to the JWT.

#### Auth0 SPA SDK

<InfoBox>

Take note of the value of `namespace` here, you will need it later to [configure
Cube][ref-config-auth0].

</InfoBox>

```javascript
function (user, context, callback) {
  const namespace = "http://localhost:4000/"
  context.accessToken[namespace] =
  {
    'company_id': 'company1',
    'user_id': user.user_id,
    'roles': ['user']
  }
  callback(null, user, context)
}
```

## Create an API

If you're using the Auth0 SPA SDK, you'll also need to [create an
API][link-auth0-api]. First, go to the [Auth0 dashboard][link-auth0-app] and
click on the APIs menu option from the left sidebar, then click the Create API
button.

<div style={{ textAlign: "center" }}>
  <img
    src="https://ucarecdn.com/6727f749-4def-464b-a7bb-2c086d37c051/"
    style={{ border: "none" }}
    width="80%"
  />
</div>

In the 'New API' popup, set a name for this API and an identifier (e.g.
`cube-app`), then click the Create button.

<div style={{ textAlign: "center" }}>
  <img
    src="https://ucarecdn.com/95d883b6-35b6-47e9-9b9a-ea99a898ef01/"
    style={{ border: "none" }}
    width="80%"
  />
</div>

<InfoBox>

Take note of the Identifier here, as it is used to [set the JWT Audience option
in Cube][ref-config-auth0].

</InfoBox>

In your application code, configure your API identifier as the audience when
initializing Auth0. If you're using the `@auth0/auth-react` package for your
application front-end, this might look something like this:

```tsx
<Auth0Provider
  domain={process.env.AUTH_DOMAIN}
  client_id={process.env.AUTH_CLIENT_ID}
  redirect_uri={window.location.origin}
  onRedirectCallback={() => {}}
  audience="cube"
>
```

Refer to Auth0's documentation for instructions on configuring
[Angular][link-auth0-angular] or [Vue][link-auth0-vue] applications.

## Configure Cube

Now we're ready to configure Cube to use Auth0. Go to your Cube project and open
the `.env` file and add the following, replacing the values wrapped in `<>`.

```dotenv
CUBEJS_JWK_URL=https://<AUTH0-SUBDOMAIN>.auth0.com/.well-known/jwks.json
CUBEJS_JWT_AUDIENCE=<APPLICATION_URL>
CUBEJS_JWT_ISSUER=https://<AUTH0-SUBDOMAIN>.auth0.com/
CUBEJS_JWT_ALGS=RS256
CUBEJS_JWT_CLAIMS_NAMESPACE=<CLAIMS_NAMESPACE>
```

## Testing with the Developer Playground

### Retrieving a JWT

Go to the [OpenID Playground from Auth0][link-openid-playground] to and click
Configuration.

<div style={{ textAlign: "center" }}>
  <img
    src="https://ucarecdn.com/a40aaeba-1a16-426c-b8a0-8e2be23572e2/"
    style={{ border: "none" }}
    width="80%"
  />
</div>

Enter the following values:

- **Auth0 domain**: `<AUTH0-SUBDOMAIN>.auth0.com`
- **OIDC Client ID**: Retrieve from Auth0 Application settings page
- **OIDC Client Secret**: Retrieve from Auth0 Application settings page
- **Audience**: Retrieve from Auth0 API settings

Click 'Use Auth0 Discovery Document' to auto-fill the remaining values, then
click Save.

<div style={{ textAlign: "center" }}>
  <img
    src="https://ucarecdn.com/e2c10228-27c9-4ca9-ac2b-9ebd1ae11f06/"
    style={{ border: "none" }}
    width="80%"
  />
</div>

<WarningBox>

If you haven't already, go back to the Auth0 application's settings and add
`https://openidconnect.net/callback` to the list of allowed callback URLs.

</WarningBox>

Now click Start; if the login is successful, you should see the code, as well as
a button called 'Exchange'. Click on it to exchange the code for your tokens:

<div style={{ textAlign: "center" }}>
  <img
    src="https://ucarecdn.com/01719292-3186-40d5-8ffa-adc1a8087163/"
    style={{ border: "none" }}
    width="80%"
  />
</div>

Copy the `access_token` from the response, and use the [JWT.IO
Debugger][link-jwt-io-debug] to decode the token and verify any custom claims
were successfully added.

### Set JWT in Developer Playground

Now open the Developer Playground (at `http://localhost:4000`) and on the Build
page, click Add Security Context.

<div style={{ textAlign: "center" }}>
  <img
    src="https://ucarecdn.com/f63817d8-9729-4b7f-a36c-02518de422e9/"
    style={{ border: "none" }}
    width="80%"
  />
</div>

Click the Token tab, paste the JWT from OpenID Playground and click the Save
button.

<div style={{ textAlign: "center" }}>
  <img
    src="https://ucarecdn.com/892b39e7-4d57-4dba-957a-dad8ec34fe68/"
    style={{ border: "none" }}
    width="80%"
  />
</div>

Close the popup and use the Developer Playground to make a request. Any data
models using the [Security Context][ref-sec-ctx] should now work as expected.

## Example

To help you get up and running, we have [an example project which is configured
to use Auth0][gh-cube-auth0-example]. You can use it as a starting point for
your own Cube application.

[link-auth0-angular]: https://auth0.com/docs/quickstart/spa/angular/01-login
[link-auth0-vue]: https://auth0.com/docs/quickstart/spa/vuejs/01-login
[link-auth0-docs-app]: https://auth0.com/docs/applications
[link-auth0-docs-api]: https://auth0.com/docs/get-started/set-up-apis
[link-auth0-docs-rules]: https://auth0.com/docs/rules
[gh-auth0-spa-sdk-issue34]:
  https://github.com/auth0/auth0-spa-js/issues/34#issuecomment-505420895
[link-auth0-app]: https://manage.auth0.com/
[link-auth0-js]: https://auth0.com/docs/libraries/auth0js
[link-auth0-spa-sdk]: https://auth0.com/docs/libraries/auth0-spa-js
[link-auth0-api]:
  https://auth0.com/docs/tokens/access-tokens#json-web-token-access-tokens
[link-jwt-io-debug]: https://jwt.io/#debugger-io
[link-openid-playground]: https://openidconnect.net/
[ref-config-auth0]: #configure-cube
[ref-sec-ctx]: /product/auth/context
[gh-cube-auth0-example]:
  https://github.com/cube-js/examples/tree/master/auth0